April 2014

Killing patents, part 2

If you’re like at least a quarter of the people who read my original article, “Am I evil, or is killing patents just plain fun?” a few days ago, you probably read the title of this post as “Killing parents part 2” or “Killing patients part 2.” I have to wonder how many people originally clicked it simply for that reason.

This is but one of the many responses I got, however. Overwhelmingly, people who responded to the article were in favor of at least reforming software patents, and many favored getting rid of software patents altogether. I expected at least a few responses to my challenge, but so far the only patent posted is one that hasn’t yet been granted, and I suspect won’t be.

This may be sampling bias, as there are relatively few people producing software patents, and even fewer who actually want to be. Most people don’t have any real motivation to go find them, unless they want to win the prize of forcing me to write a post about how great patents are. Regardless, the fact that not a single one of the nearly 40 thousand people (almost all software developers, and smartasses too, if I had to guess) who saw this article pointed to one good patent is fairly telling, at least to me.

Several people were skeptical that submitting prior art to Ask Patents would have any effect at all. Well, while it isn’t a landslide victory for patent reformers, there’s a tag for rejected patents that suggests that 24 patents have been denied so far, with several drawing at least partially on answers from Ask Patents. Here’s one example from 2010:

A computerized method of analyzing weather data to improve the selection of contextually relevant communication, the method comprising:
 1. Automatically receiving geolocation information of a viewer's location;
 2. Receiving weather data relevant to the viewer's location;
 3. Analyzing the weather data to identify a weather condition;
 4. Accessing a database containing multiple available advertisements assigned to weather conditions; and
 5. Selecting a communication associated with the identified weather condition based on a viewer's preference.

In English? Sending ads based on the weather. Sounds boring. Also sounds an awful lot like Weatherbug, an application which has been around since at least 2000, and about a million other weather sites. And, thankfully, the patent office agreed.

24 patents doesn’t sound like a lot, but that represents tens or hundreds of thousands of dollars likely wasted by these companies. That makes me happy! Why? Because the biggest thing I want out of all this is for companies to stop treating patents as weapons to use against competitors, and status symbols for managers with no direct involvement.

Right now, it’s a gamble, not dissimilar to the VC industry: apply for a patent and spend a little money upfront, for the potential to make a boatload down the road. It’s a moonshot, but every once in a while they hit the jackpot. The problem is that the money is made via dubiously ethical behavior like waiting for lots of people to infringe and then suing once they get successful, instead of actually creating value. At least their lawyers make a lot of money. Direct costs to U.S. businesses have been estimated at $29 billion a year, indirect costs at as much as $83 billion. This is grade-A sleazeball material.

So, will my humble daily search for prior art on relatively few patents help? Maybe, maybe not.

Either way, I’d rather do something than nothing.

Am I evil, or is killing patents just plain fun?

The other day I re-discovered this post by Joel Spolsky on Hacker News, entitled “Victory Lap for Ask Patents.” I saw it when he originally posted it a while back, but it didn’t resonate with me at the time.

But re-reading it today, I realized how great an opportunity we, as software developers, have to force patent reform by actively contributing to this project. Ask Patents, if you haven’t heard of it, is a StackExchange site where you can ask questions about patents, or, in my case, respond to requests for prior art that invalidate an overly-broad patent. In my case, I focus on software patents.

I can hear what you’re thinking.

That sounds fucking boring

I know, right? But actually, I’ve found it to be quite a fun little puzzle to decrypt the legalese used by patent lawyers to try to get away with ridiculous patents. Here’s an example patent claim:

“A method comprising:

  1. generating, using a processor, time-based event boundaries detected in a plurality of images;
  2. computing inter-event durations;
  3. grouping events into clusters based on the inter-event durations; and
  4. validating, using a rule-based system, that each event belongs to an associated cluster based on event level content based features.”

Short version: a photo album that groups your photos by the time they were taken.

How hard do you think it was to find examples of prior art? (Hint: it wasn’t)

If you’re still wondering what I’m going on about, then perhaps a different motivator is called for. If you think this shit is boring and pedantic, how do you think someone at the USPTO feels when they have to read it day in and day out, and formally parse and research it to decide whether it should stand?

Let me put this another way – wouldn’t you rather those working for the USPTO were spending their time on legitimate patents? On getting a bunch of those “patent pending” labels off of everything we buy? On crippling the patent trolls, who raise the cost of doing business for anyone who gets successful enough to trespass on one of their dubious “works of genius”?

Well, you can help. Every minute you save the USPTO is another minute they can spend doing things that actually matter. I’m going to start doing it every day. I’ve already done 6 in the last hour. Time will tell whether my contributions actually do anything, but I suspect that, given how unglamorous the work is and how few people generally comment, even a little bit will be appreciated.

So how does this lead to patent reform? My hope is that the community can shred a lot of these useless patents before they take any brain cycles away from a qualified researcher. And if it happens enough, it will start to become clear to everyone involved that the vast majority of software patents are bullshit.

It might sound like a bad, or at least contradictory, idea coming from a programmer, but I genuinely hope (and have some reasons to believe) software patents go the way of the dodo in the next decade.

In fact, I would go so far as to wager the following. I will bet, on pain of writing an entire blog post dedicated to why patents are good, that no one reading this article can find a software patent granted in the last year that actually should exist. The requirements for a good patent are:

  1. Novelty
  2. Non-obviousness

Some software patents may technically be novel, but I’ve yet to find one that I thought was non-obvious. Maybe someone will be able to enlighten me.

Want to help some more? Take it to Twitter with the hashtag #patentreform!

Code red, the ship is on fire

Checking out Hacker News for a refreshing end to my work day, I was instead greeted with the worst of all tech-related bad news: Heartbleed, an exploit in popular versions of OpenSSL allowing attackers anonymous (read: no way to figure out how widely it’s been exploited up to this point) access to 64 KB of memory of an affected client or server.

How bad is it? Tor had this to offer in its blog post on the subject:

If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.

Let’s play a doomsday scenario out a little bit:

  1. Attacker compromises the private key to Ubuntu’s (or any other distro’s) package repository
  2. Attacker generates their own certificate and phishes someone with write access
  3. Attacker pushes out legitimate-looking vulnerable versions of all your favorite packages, signed with the proper private key
  4. Attacker can effectively attack any machine that installs that vulnerable package

Let’s try another:

  1. Attacker gets private key for the instant messaging account for a security guy at Google, or their IRC server (thankfully, a Google employee was the one who found it, so at least they were probably first to patch against it)
  2. Attacker listens to all their communications to wait for an opportunity
  3. Attacker initiates a phishing attack using real-sounding information, impersonating an employee
  4. Attacker gets access to Google’s hosted JavaScript libraries, inserts a small keylogger
  5. Every user on every website using Google to include jQuery or other popular libraries gets keylogged

Both of these scenarios require a phishing attack to happen at some point, but even this wouldn’t be necessary. The possibilities are endless. And it’s better than a normal bug! Normal bugs are patched with software updates, and then they’re no longer an issue. Not so with this one. Every key, every password, every everything has to be assumed to have been compromised, and replaced. As you can probably imagine, that will take time.

Why am I posting this? It might seem I’m just predicting doom and giving no solutions. My hope is that you will help me in convincing all the parties affected by this to:

  1. Upgrade their vulnerable versions of OpenSSL
  2. Change all private keys that might’ve been compromised
  3. Generate new SSL certificates where necessary

This isn’t an easy prospect, and many will be slow to do everything necessary to protect against this exploit unless they have motivation to do so. Every day they wait, they potentially put millions of people’s sensitive data at risk.

Take it to Twitter using the #OpenSSLBug hashtag! Time is of the essence, and broad awareness is crucial.


You might want to stay off the Internet for a few days, assuming you’re not one of the unlucky few who have to go and clean this mess up.

Updates
Here is a tool to find out if your favorite sites support the vulnerable heartbeat feature, and thus probably need to do damage control. To name a few: Google, Twitter, and Instagram, although others may have simply disabled the feature temporarily, which unfortunately isn’t a complete fix.

Want to find more sites that need to be patched? Google the following, and you’ll begin to see just how deep the rabbit hole goes.

[REMOVED]

OpenSSL is trending on Twitter right now. It looks like people are starting to take notice.

For anyone running a website of their own, here’s a thread on ServerFault describing how to check your OpenSSL version and find any processes that might still be running on the old version once you’ve updated. If you’re running Ubuntu, they still haven’t released the new version, so head over to the OpenSSL site to grab the new version to compile from source. Once you’ve upgraded, restart all the services you get when running

lsof -n | grep ssl | grep DEL
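The reason that one-liner matters is that replacing libssl on disk does nothing for processes that already have the old copy mapped; lsof marks those mappings DEL. As an added example (not code from the original post or the ServerFault thread), here is a small POSIX sh script that turns lsof output into a deduplicated list of PIDs and service names to restart. It assumes lsof’s default column layout (COMMAND PID USER FD TYPE …) and runs against a constructed lsof sample unless invoked with --live.

```shell
#!/bin/sh
# Added example: find processes still mapping a deleted (replaced) OpenSSL
# library after an upgrade. Generalises `lsof -n | grep ssl | grep DEL`.

# Print "PID COMMAND" for each process holding a DEL mapping of libssl or
# libcrypto. Reads lsof -n output on stdin. For deleted mappings lsof puts
# DEL in the FD column and may leave SIZE/OFF blank, so every field from
# FD onward is scanned for DEL instead of trusting a fixed column index.
stale_ssl_processes() {
    awk '
        $NF ~ /lib(ssl|crypto)/ {
            for (i = 4; i <= NF; i++) if ($i == "DEL") { print $2, $1; next }
        }' | sort -u
}

# Collapse the PID list into the distinct service (command) names to restart.
stale_ssl_services() {
    stale_ssl_processes | awk '{ print $2 }' | sort -u
}

# Constructed lsof -n output (not captured from a real host): two nginx
# workers and sshd still hold the deleted libraries; apache2 was already
# restarted and maps the current libssl (FD "mem", no DEL); cron holds an
# unrelated deleted library and must not be reported.
SAMPLE_LSOF='COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
nginx     1201     root  DEL    REG    8,1             262456 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx     1202 www-data  DEL    REG    8,1             262456 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2   1300 www-data  mem    REG    8,1    431552   262460 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd       911     root  DEL    REG    8,1             262457 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
cron       800     root  DEL    REG    8,1             131077 /lib/x86_64-linux-gnu/libc-2.19.so'

if [ "${1:-}" = "--live" ]; then
    # Audit the real system; run as root so every process is visible.
    lsof -n 2>/dev/null | stale_ssl_processes
else
    printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_processes
fi
```

A service that links OpenSSL statically or ships its own copy never shows a DEL libssl mapping, so this list is a lower bound, not proof that everything else is patched.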

When you’re ready to generate new keys and get new certificates:

Can’t remember all the keys you might need to rotate? Take these for a spin:

sudo find / -name "*.key" -type f
sudo find / -name "*.pem" -type f

This might also be a good time to tweak your webserver to use only secure SSL ciphers.

Introducing: Slowpoke

In the spirit of April Fool’s, but also because I think it might actually make me more productive, I’ve made a Google Chrome extension to slow down Facebook’s timeline feature.

Long for the days of 56k? All this high-speed gigaboot Internets nonsense got you frazzled? Just install Slowpoke in Chrome by going to “chrome://extensions/” and dragging the .crx file onto the page. Instantly, your Facebook addiction will be both sated and abated.

You’re welcome.

(Get it here)